Expert developed a Mac malware that lies in wait for the user to start video apps

Mac malware could spy on users by piggybacking on webcam sessions started by legitimate applications such as FaceTime, Skype and Google Hangouts.

Security experts are worried about Mac malware that attempts to record video through the built-in webcam. The principal obstacle for this family of spyware is that turning on the camera also turns on its indicator LED, which can alert the victim.

Back in 2013, a group of researchers demonstrated at the USENIX conference how to disable the MacBook webcam indicator LED without admin privileges or physical access. That technique was shown to work on some older iMacs and MacBooks; the new malware takes a different route and is a novelty in the current threat landscape.

This new Mac malware leverages a different mechanism to hide its activity: it silently spies on users by piggybacking on webcam sessions started by legitimate applications such as Skype, Google Hangouts, and FaceTime.

According to Patrick Wardle, the former NSA expert and director of research at Synack who developed the malware, when one of these applications turns on the built-in webcam the lit LED raises no suspicion in the user, even though someone may be spying on them at the same time.

Wardle's proof-of-concept malware monitors the system for legitimate, user-initiated video sessions and secretly records the victim during them, and it does so without root privileges: it watches the status of the built-in camera and starts its own capture only once the user has already turned the camera on.

The malware records both video and audio from the webcam during the same session in which the LED is legitimately on, so the indicator gives the victim no additional warning.

Wardle's technique has not been observed in Mac malware in the wild, but it is not difficult to predict its rapid adoption by malware authors (VXers).

Wardle also devised a tool, dubbed OverSight, to detect this kind of attack. OverSight runs in the background and monitors microphone and webcam usage through user-mode APIs.

When the microphone becomes active, OverSight shows the message "Audio Device became active"; when the camera is turned on, it displays "Video Device became active" and also reports the name of the process that wants to access the device. The user can then decide to allow or block the action.
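The following is an added example, not OverSight's code and not from Wardle or Security Affairs. It models the monitoring logic the two passages above describe: a background monitor receives device start/stop events with the responsible process, applies an allow/block policy, and, rather than just announcing "device became active", flags the exact pattern of the proof-of-concept malware: a second, unrecognised process attaching to the webcam or microphone while a legitimate session is already running (the LED is already on, so it gives no warning), and a process still holding the device after the user's app has stopped. On macOS a real monitor would obtain these events from the user-mode device-activity notifications of CoreMediaIO and CoreAudio; here the event stream, the process names, the PIDs and the allow-list are constructed so the logic runs anywhere. Blocking is assumed to terminate the process, so a blocked process is not recorded as a device holder.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class DeviceEvent:
    """One device-activity notification (constructed for this example)."""
    device: str    # "video" (webcam) or "audio" (microphone)
    state: str     # "start" or "stop"
    pid: int
    process: str   # process name as reported by the event source


@dataclass(frozen=True)
class Alert:
    kind: str      # "device_active" | "piggyback" | "lingering"
    device: str
    process: str
    pid: int
    action: str    # "allow" | "block" | "ask" (ask = prompt the user)


class DeviceMonitor:
    """Tracks which processes hold the webcam/mic and raises alerts."""

    def __init__(self, allow: Iterable[str] = (), block: Iterable[str] = ()):
        self.allow: Set[str] = set(allow)
        self.block: Set[str] = set(block)
        # device -> {pid: process name} for processes currently using it
        self.holders: Dict[str, Dict[int, str]] = {"video": {}, "audio": {}}

    def policy(self, process: str) -> str:
        if process in self.block:
            return "block"
        if process in self.allow:
            return "allow"
        return "ask"  # unknown process: prompt the user

    def handle(self, ev: DeviceEvent) -> Optional[Alert]:
        holders = self.holders[ev.device]
        if ev.state == "stop":
            holders.pop(ev.pid, None)
            # The user's session ended but another process still holds the
            # device: the LED stays on after the call. Report the first
            # remaining holder that is not on the allow-list.
            for pid, name in holders.items():
                if self.policy(name) != "allow":
                    return Alert("lingering", ev.device, name, pid, self.policy(name))
            return None

        action = self.policy(ev.process)
        # An unrecognised process attaching while the device is already in
        # use is the piggyback pattern: the indicator LED was on already.
        kind = "piggyback" if holders and action != "allow" else "device_active"
        if action != "block":  # assumption: a blocked process is terminated
            holders[ev.pid] = ev.process
        return Alert(kind, ev.device, ev.process, ev.pid, action)

    def process_events(self, events: Iterable[DeviceEvent]) -> List[Alert]:
        return [a for a in map(self.handle, events) if a is not None]


# Constructed event stream: a FaceTime call during which an unknown
# process ("recorder", PID 777) grabs the camera and microphone.
SAMPLE_EVENTS = [
    DeviceEvent("video", "start", 501, "FaceTime"),
    DeviceEvent("audio", "start", 501, "FaceTime"),
    DeviceEvent("video", "start", 777, "recorder"),  # joins mid-call
    DeviceEvent("audio", "start", 777, "recorder"),
    DeviceEvent("video", "stop", 501, "FaceTime"),   # user hangs up
    DeviceEvent("audio", "stop", 501, "FaceTime"),
    DeviceEvent("video", "stop", 777, "recorder"),
    DeviceEvent("audio", "stop", 777, "recorder"),
]


def run_sample() -> List[Alert]:
    """Run the constructed stream through a monitor with a sample allow-list."""
    mon = DeviceMonitor(allow={"FaceTime", "Skype", "Google Chrome"})
    return mon.process_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.kind:13} {a.device:5} {a.process}[{a.pid}] -> {a.action}")
```

Running the sample yields six alerts: two "device_active" entries for FaceTime (allowed, no prompt), two "piggyback" prompts for the recorder process while the call is active, and two "lingering" alerts after the user hangs up because the recorder still holds both devices. The per-device holder table is what makes the difference between a bare "device became active" notice and a useful detection: the same event looks benign on an idle device and suspicious on one that is already streaming.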


Wardle is well known in the IT security industry; in April he released RansomWhere, a free ransomware detection tool for Mac OS X systems.


Pierluigi Paganini

(Security Affairs – Mac malware, spyware)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
